ClamAV detects Unix.Trojan.Gitpaste-9787170-0 in file Splunk_Research_detections.json

splunkuser444
New Member

Hello all,

ClamAV detected Unix.Trojan.Gitpaste-9787170-0 in file Splunk_Research_detections.json. This file appears to be a large repository of security research information and we'd like to verify if this detection is a true concern or if it is a false positive.

Threat detection file location: /opt/splunk/etc/apps/Splunk_Security_Essentials/appserver/static/vendor/splunk/Splunk_Research_detections.json

Splunk version: 9.4.0

Splunk Security Essentials version: 3.8.1

ClamAV detection: Unix.Trojan.Gitpaste-9787170-0

ClamAV version: 1.4.1/27629

ClamAV definition dates: April 24, 2025 through May 05, 2025

Security Essentials was installed on April 25, 2025 and ClamAV detections began immediately during the first scan following the install.

0 Karma

PickleRick
SplunkTrust

This is more of a question to ClamAV authors/database maintainers. I'd hazard a guess that the file contained within SE has some characteristic pieces of the Gitpaste method as part of its searches. And ClamAV detects their presence and flags the file. But I'd double-check it with ClamAV folks.

0 Karma

splunkuser444
New Member

Thanks for the suggestion PickleRick, I've also submitted a false positive report at https://www.clamav.net/reports/fp.

0 Karma
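One way to check the guess made in this thread (that the signature's byte patterns appear inside detection content in the JSON) is to take the signature's hex subsignatures, as printed by `sigtool --find-sigs Unix.Trojan.Gitpaste-9787170-0 | sigtool --decode-sigs`, and see which JSON entries contain their literal fragments. This is an added example, not code from the thread, Splunk or ClamAV; the function names are hypothetical, and the sample JSON and marker strings are constructed placeholders rather than the real file or signature.

```python
import json
import re

# ClamAV body-signature wildcards: '*', '??', '{n}', '{n-m}', '{-m}', '{n-}'
_WILDCARD = re.compile(r"\*|\?\?|\{[0-9-]+\}")

def literal_fragments(hex_subsig, min_len=4):
    """Fixed byte runs of one hex subsignature; nibble wildcards and alternations are skipped."""
    body = hex_subsig.split("::", 1)[0]  # drop any ::modifier suffix
    frags = []
    for part in _WILDCARD.split(body):
        if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", part) and len(part) // 2 >= min_len:
            frags.append(bytes.fromhex(part))
    return frags

def string_values(node, path="$"):
    # Yield (json_path, string) for every string value in a parsed JSON tree.
    if isinstance(node, dict):
        for key, value in node.items():
            yield from string_values(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from string_values(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def locate(json_text, hex_subsigs):
    """List (json_path, fragment) pairs showing which entries hold signature bytes."""
    doc = json.loads(json_text)
    hits = []
    for subsig in hex_subsigs:
        for frag in literal_fragments(subsig):
            for path, value in string_values(doc):
                # Check the decoded value and its escaped form: the scanner sees raw file bytes.
                raw = json.dumps(value, ensure_ascii=False).encode("utf-8")
                if frag in value.encode("utf-8") or frag in raw:
                    hits.append((path, frag.decode("latin-1")))
    return hits

# Constructed sample data: placeholder markers, not the real signature or file.
SAMPLE_JSON = json.dumps({"detections": [
    {"name": "Constructed detection A", "search": "process=*EXAMPLE_MARKER_ONE*"},
    {"name": "Constructed detection B", "search": "EXAMPLE_MARKER_TWO | stats count TAIL_MARKER"},
]})
SAMPLE_SUBSIGS = [b"EXAMPLE_MARKER_ONE".hex(),
                  b"EXAMPLE_MARKER_TWO".hex() + "{1-32}" + b"TAIL_MARKER".hex()]

if __name__ == "__main__":
    for path, fragment in locate(SAMPLE_JSON, SAMPLE_SUBSIGS):
        print(f"{path}: {fragment!r}")
```

If every fragment lands inside the search or description text of detection entries, that supports a false-positive report; fragments that appear nowhere in the parsed strings mean the raw file bytes need a closer look.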